"Joshua D. Drake" <jd@commandprompt.com> writes:
> On 07/18/2018 04:25 PM, Tom Lane wrote:
>> This is exactly the kind of area in which I'm concerned for the
>> possibility of sloppily-written scripts being a net negative for
>> security.
> Although I appreciate the concern, can we not worry about this? Your
> argument basically boils down to: Dumb will be Dumb. That will not
> change no matter what we do as is obvious by the number of people STILL
> using postgres as their connected web app user. The usability of this
> feature if fleshed out correctly is pretty large.
Sorry, I don't buy that line of argument. The *only* reason for this
feature to exist is if it allows ready creation of security solutions
that are actually more secure than a non-world-readable .pgpass file.
That's a much higher bar than many people realize to begin with ...
and if it comes along with huge risk of security foot-guns, I do not
think that it's going to be a net advance.
One reason I'd like to see a concrete use-case (or several concrete
use-cases) is that we might then find some design that's less prone
to such mistakes than "here, run this shell script" is going to be.
I'm vaguely imagining exec'ing a program directly without a layer
of shell quoting/evaluation in between; but not sure how far that
gets us.
Another question that ought to be asked somewhere along here is
"how well does this work on Windows?" ...
regards, tom lane